amadey | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387 | Triage

Sharing

General

Target

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
Size

217KB
Sample

240212-w8r4msba2v
MD5

d722704eff46ac5ca68723e9d35e9c81
SHA1

c08f9166337b98a774fd43b771c652bead0b57af
SHA256

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
SHA512

80f2c9d8e5f630e1b2b511a7460a31c4b98ff8e628fecba33546205a00c11b5638a484c559b7c466cb7d2f2bc9f92b791fa7ab4e7d15cc55c4a0ff65de7a0e9b
SSDEEP

6144:DHfZ8S+RSDnm9WwgFyzE9P08R5HYjWjm:TfZ8S+ILm9PgFyzO08R5f

Score

10^/10

amadey smokeloader pub1 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
- Size
  
  217KB
- MD5
  
  d722704eff46ac5ca68723e9d35e9c81
- SHA1
  
  c08f9166337b98a774fd43b771c652bead0b57af
- SHA256
  
  ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
- SHA512
  
  80f2c9d8e5f630e1b2b511a7460a31c4b98ff8e628fecba33546205a00c11b5638a484c559b7c466cb7d2f2bc9f92b791fa7ab4e7d15cc55c4a0ff65de7a0e9b
- SSDEEP
  
  6144:DHfZ8S+RSDnm9WwgFyzE9P08R5HYjWjm:TfZ8S+ILm9PgFyzO08R5f
Score

10^/10

amadey smokeloader pub1 backdoor spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeysmokeloaderpub1backdoorspywarestealertrojan

behavioral2

amadeysmokeloaderpub1backdoorspywarestealertrojan